- Preface
- New and Changed Security Features
- Configuring AAA Services
- Implementing Certification Authority Interoperability
- Implementing Keychain Management
- Implementing Lawful Intercept
- Implementing Management Plane Protection
- Configuring Software Authentication Manager
- Implementing Secure Shell
- Implementing Secure Socket Layer
- Configuring FIPS Mode
- Index
- Prerequisites for Implementing Certification Authority
- Restrictions for Implementing Certification Authority
- Information About Implementing Certification Authority
Implementing
Certification Authority Interoperability
Certification authority (CA) interoperability is provided in support of the IP Security (IPSec), Secure Socket Layer (SSL), and Secure Shell (SSH) protocols. CA interoperability permits Cisco XR 12000 Series Router devices and CAs to communicate so that your device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
This module describes the tasks that you need to implement CA interoperability on your Cisco IOS XR software network.
Note | For a complete description of the public key infrastructure (PKI) commands used in this chapter, refer to the Public Key Infrastructure Commands module in Cisco IOS XR System Security Command Reference for the Cisco XR 12000 Series Router. To locate documentation for other commands that appear in this chapter, use the command reference master index, or search online. |
Feature History for Implementing Certification Authority Interoperability
Release |
Modification |
---|---|
Release 3.2 |
This feature was introduced. |
Release 3.4.0 |
A procedure was added on how to declare the trustpoint certification authority (CA). |
Release 5.2 |
A section was added on trust pool management |
- Prerequisites for Implementing Certification Authority
- Restrictions for Implementing Certification Authority
- Information About Implementing Certification Authority
- How to Implement CA Interoperability
- Configuration Examples for Implementing Certification Authority Interoperability
- Where to Go Next
- Additional References
Prerequisites for Implementing Certification Authority
The following prerequisites are required to implement CA interoperability:
-
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
-
You must install and activate the Package Installation Envelope (PIE) for the security software.
For detailed information about optional PIE installation, refer to Cisco IOS XR System Management Configuration Guide for the Cisco XR 12000 Series Router
-
You need to have a CA available to your network before you configure this interoperability feature. The CA must support Cisco Systems PKI protocol, the simple certificate enrollment protocol (SCEP) (formerly called certificate enrollment protocol [CEP]).
Restrictions for Implementing Certification Authority
Cisco IOS XR software does not support CA server public keys greater than 2048 bits.
Information About Implementing Certification Authority
To implement CA, you need to understand the following concepts:
Supported Standards for Certification Authority Interoperability
Cisco supports the following standards:
-
IPSec—IP Security Protocol. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, a pair of security gateways, or a security gateway and a host.
-
IKE—A hybrid protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association Key Management Protocol (ISAKMP) framework. Although IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations (SAs).
-
Public-Key Cryptography Standard #7 (PKCS #7)—A standard from RSA Data Security Inc. used to encrypt and sign certificate enrollment messages.
-
Public-Key Cryptography Standard #10 (PKCS #10)—A standard syntax from RSA Data Security Inc. for certificate requests.
-
RSA keys—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adelman. RSA keys come in pairs: one public key and one private key.
-
SSL—Secure Socket Layer protocol.
-
X.509v3 certificates—Certificate support that allows the IPSec-protected network to scale by providing the equivalent of a digital ID card to each device. When two devices want to communicate, they exchange digital certificates to prove their identity (thus removing the need to manually exchange public keys with each peer or specify a shared key at each peer). These certificates are obtained from a CA. X.509 as part of the X.500 standard of the ITU.
Certification Authorities
The following sections provide background information about CAs:
- Purpose of CAs
- IPSec Without CAs
- IPSec with CAs
- IPSec with Multiple Trustpoint CAs
- How IPSec Devices Use CA Certificates
- CA Registration Authorities
Purpose of CAs
CAs are responsible for managing certificate requests and issuing certificates to participating IPSec network devices. These services provide centralized key management for the participating devices.
CAs simplify the administration of IPSec network devices. You can use a CA with a network containing multiple IPSec-compliant devices, such as routers.
Digital signatures, enabled by public key cryptography, provide a means of digitally authenticating devices and individual users. In public key cryptography, such as the RSA encryption system, each user has a key pair containing both a public and a private key. The keys act as complements, and anything encrypted with one of the keys can be decrypted with the other. In simple terms, a signature is formed when data is encrypted with a user’s private key. The receiver verifies the signature by decrypting the message with the sender’s public key. The fact that the message could be decrypted using the sender’s public key indicates that the holder of the private key, the sender, must have created the message. This process relies on the receiver’s having a copy of the sender’s public key and knowing with a high degree of certainty that it does belong to the sender and not to someone pretending to be the sender.
Digital certificates provide the link. A digital certificate contains information to identify a user or device, such as the name, serial number, company, department, or IP address. It also contains a copy of the entity’s public key. The certificate is itself signed by a CA, a third party that is explicitly trusted by the receiver to validate identities and to create digital certificates.
To validate the signature of the CA, the receiver must first know the CA’s public key. Normally, this process is handled out-of-band or through an operation done at installation. For instance, most web browsers are configured with the public keys of several CAs by default. IKE, an essential component of IPSec, can use digital signatures to authenticate peer devices for scalability before setting up SAs.
Without digital signatures, a user must manually exchange either public keys or secrets between each pair of devices that use IPSec to protect communication between them. Without certificates, every new device added to the network requires a configuration change on every other device with which it communicates securely. With digital certificates, each device is enrolled with a CA. When two devices want to communicate, they exchange certificates and digitally sign data to authenticate each other. When a new device is added to the network, a user simply enrolls that device with a CA, and none of the other devices needs modification. When the new device attempts an IPSec connection, certificates are automatically exchanged and the device can be authenticated.
IPSec Without CAs
Without a CA, if you want to enable IPSec services (such as encryption) between two Cisco routers, you must first ensure that each router has the key of the other router (such as an RSA public key or a shared key). This requirement means that you must manually perform one of the following operations:
-
At each router, enter the RSA public key of the other router.
-
At each router, specify a shared key to be used by both routers.
If you have multiple Cisco routers in a mesh topology and want to exchange IPSec traffic passing among all of those routers, you must first configure shared keys or RSA public keys among all of those routers.
Every time a new router is added to the IPSec network, you must configure keys between the new router and each of the existing routers.
Consequently, the more devices there are that require IPSec services, the more involved the key administration becomes. This approach does not scale well for larger, more complex encrypting networks.
IPSec with CAs
With a CA, you need not configure keys between all the encrypting routers. Instead, you individually enroll each participating router with the CA, requesting a certificate for the router. When this enrollment has been accomplished, each participating router can dynamically authenticate all the other participating routers.
To add a new IPSec router to the network, you need only configure that new router to request a certificate from the CA, instead of making multiple key configurations with all the other existing IPSec routers.
IPSec with Multiple Trustpoint CAs
With multiple trustpoint CAs, you no longer have to enroll a router with the CA that issued a certificate to a peer. Instead, you configure a router with multiple CAs that it trusts. Thus, a router can use a configured CA (a trusted root) to verify certificates offered by a peer that were not issued by the same CA defined in the identity of the router.
Configuring multiple CAs allows two or more routers enrolled under different domains (different CAs) to verify the identity of each other when using IKE to set up IPSec tunnels.
Through SCEP, each router is configured with a CA (the enrollment CA). The CA issues a certificate to the router that is signed with the private key of the CA. To verify the certificates of peers in the same domain, the router is also configured with the root certificate of the enrollment CA.
To verify the certificate of a peer from a different domain, the root certificate of the enrollment CA in the domain of the peer must be configured securely in the router.
During IKE phase one signature verification, the initiator will send the responder a list of its CA certificates. The responder should send the certificate issued by one of the CAs in the list. If the certificate is verified, the router saves the public key contained in the certificate on its public key ring.
With multiple root CAs, Virtual Private Network (VPN) users can establish trust in one domain and easily and securely distribute it to other domains. Thus, the required private communication channel between entities authenticated under different domains can occur.
How IPSec Devices Use CA Certificates
When two IPSec routers want to exchange IPSec-protected traffic passing between them, they must first authenticate each other—otherwise, IPSec protection cannot occur. The authentication is done with IKE.
Without a CA, a router authenticates itself to the remote router using either RSA-encrypted nonces or preshared keys. Both methods require keys to have been previously configured between the two routers.
With a CA, a router authenticates itself to the remote router by sending a certificate to the remote router and performing some public key cryptography. Each router must send its own unique certificate that was issued and validated by the CA. This process works because the certificate of each router encapsulates the public key of the router, each certificate is authenticated by the CA, and all participating routers recognize the CA as an authenticating authority. This scheme is called IKE with an RSA signature.
Your router can continue sending its own certificate for multiple IPSec sessions and to multiple IPSec peers until the certificate expires. When its certificate expires, the router administrator must obtain a new one from the CA.
When your router receives a certificate from a peer from another domain (with a different CA), the certificate revocation list (CRL) downloaded from the CA of the router does not include certificate information about the peer. Therefore, you should check the CRL published by the configured trustpoint with the Lightweight Directory Access Protocol (LDAP) URL to ensure that the certificate of the peer has not been revoked.
To query the CRL published by the configured trustpoint with the LDAP URL, use the query url command in trustpoint configuration mode.
CA Registration Authorities
Some CAs have a registration authority (RA) as part of their implementation. An RA is essentially a server that acts as a proxy for the CA so that CA functions can continue when the CA is offline.
How to Implement CA Interoperability
This section contains the following procedures:
- Configuring a Router Hostname and IP Domain Name
- Generating an RSA Key Pair
- Importing a Public Key to the Router
- Declaring a Certification Authority and Configuring a Trusted Point
- Authenticating the CA
- Requesting Your Own Certificates
- Configuring Certificate Enrollment Using Cut-and-Paste
Configuring a Router Hostname and IP Domain Name
This task configures a router hostname and IP domain name.
You must configure the hostname and IP domain name of the router if they have not already been configured. The hostname and IP domain name are required because the router assigns a fully qualified domain name (FQDN) to the keys and certificates used by IPSec, and the FQDN is based on the hostname and IP domain name you assign to the router. For example, a certificate named router20.example.com is based on a router hostname of router20 and a router IP domain name of example.com.
1.
configure
2.
hostname
name
3.
domain name
domain-name
4.
commit
DETAILED STEPS
Command or Action | Purpose |
---|
Generating an RSA Key Pair
This task generates an RSA key pair.
RSA key pairs are used to sign and encrypt IKE key management messages and are required before you can obtain a certificate for your router.
1.
crypto key generate rsa
[usage keys |
general-keys] [keypair-label]
2.
crypto key zeroize rsa
[keypair-label]
3.
show crypto key mypubkey
rsa
DETAILED STEPS
Importing a Public Key to the Router
This task imports a public key to the router.
A public key is imported to the router to authenticate the user.
1.
crypto key import
authentication rsa [usage keys |
general-keys] [keypair-label]
2.
show crypto key mypubkey
rsa
DETAILED STEPS
Declaring a Certification Authority and Configuring a Trusted Point
This task declares a CA and configures a trusted point.
1.
configure
2.
crypto ca trustpoint
ca-name
3.
enrollment url
CA-URL
4.
query url
LDAP-URL
5.
enrollment retry period
minutes
6.
enrollment retry count
number
7.
rsakeypair
keypair-label
8.
commit
DETAILED STEPS
Authenticating the CA
This task authenticates the CA to your router.
The router must authenticate the CA by obtaining the self-signed certificate of the CA, which contains the public key of the CA. Because the certificate of the CA is self-signed (the CA signs its own certificate), manually authenticate the public key of the CA by contacting the CA administrator to compare the fingerprint of the CA certificate.
1.
crypto ca authenticate
ca-name
2.
show crypto
ca certificates
DETAILED STEPS
Requesting Your Own Certificates
This task requests certificates from the CA.
You must obtain a signed certificate from the CA for each of your router’s RSA key pairs. If you generated general-purpose RSA keys, your router has only one RSA key pair and needs only one certificate. If you previously generated special usage RSA keys, your router has two RSA key pairs and needs two certificates.
1.
crypto ca enroll
ca-name
2.
show crypto ca
certificates
DETAILED STEPS
Configuring Certificate Enrollment Using Cut-and-Paste
This task declares the trustpoint certification authority (CA) that your router should use and configures that trustpoint CA for manual enrollment by using cut-and-paste.
1.
configure
2.
crypto ca
trustpoint
ca-name
3.
enrollment
terminal
4.
commit
5.
crypto ca
authenticate
ca-name
6.
crypto ca
enroll
ca-name
7. crypto ca import ca- name certificate
8.
show
crypto ca certificates
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
configure
| |||
Step 2 |
crypto ca
trustpoint
ca-name
Example: RP/0/0/CPU0:router(config)# crypto ca trustpoint myca RP/0/0/CPU0:router(config-trustp)# |
Declares the CA that your router should use and enters trustpoint configuration mode. | ||
Step 3 |
enrollment
terminal
Example: RP/0/0/CPU0:router(config-trustp)# enrollment terminal
|
Specifies manual cut-and-paste certificate enrollment. | ||
Step 4 |
commit
| |||
Step 5 |
crypto ca
authenticate
ca-name
Example: RP/0/0/CPU0:router# crypto ca authenticate myca
|
Authenticates the CA by obtaining the certificate of the CA.
| ||
Step 6 |
crypto ca
enroll
ca-name
Example: RP/0/0/CPU0:router# crypto ca enroll myca
|
Obtains the certificates for your router from the CA. | ||
Step 7 |
crypto ca
import
ca-
name
certificate
Example: RP/0/0/CPU0:router# crypto ca import myca certificate
|
Imports a certificate manually at the terminal.
| ||
Step 8 |
show
crypto ca certificates
Example: RP/0/0/CPU0:router# show crypto ca certificates
|
Displays information about your certificate and the CA certificate. |
Configuration Examples for Implementing Certification Authority Interoperability
This section provides the following configuration example:
Configuring Certification Authority Interoperability: Example
The following example shows how to configure CA interoperability.
Comments are included within the configuration to explain various commands.
configure hostname myrouter domain name mydomain.com end Uncommitted changes found, commit them? [yes]:yes crypto key generate rsa mykey The name for the keys will be:mykey Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keypair Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [1024]: Generating RSA keys ... Done w/ crypto generate keypair [OK] show crypto key mypubkey rsa Key label:mykey Type :RSA General purpose Size :1024 Created :17:33:23 UTC Thu Sep 18 2003 Data : 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CB8D86 BF6707AA FD7E4F08 A1F70080 B9E6016B 8128004C B477817B BCF35106 BC60B06E 07A417FD 7979D262 B35465A6 1D3B70D1 36ACAFBD 7F91D5A0 CFB0EE91 B9D52C69 7CAF89ED F66A6A58 89EEF776 A03916CB 3663FB17 B7DBEBF8 1C54AF7F 293F3004 C15B08A8 C6965F1E 289DD724 BD40AF59 E90E44D5 7D590000 5C4BEA9D B5020301 0001 ! The following commands declare a CA and configure a trusted point. configure crypto ca trustpoint myca enrollment url http://xyz-ultra5 enrollment retry count 25 enrollment retry period 2 rsakeypair mykey end Uncommitted changes found, commit them? [yes]:yes ! The following command authenticates the CA to your router. crypto ca authenticate myca Serial Number :01 Subject Name : cn=Root coax-u10 Certificate Manager,ou=HFR,o=Cisco Systems,l=San Jose,st=CA,c=US Issued By : cn=Root coax-u10 Certificate Manager,ou=HFR,o=Cisco Systems,l=San Jose,st=CA,c=US Validity Start :07:00:00 UTC Tue Aug 19 2003 Validity End :07:00:00 UTC Wed Aug 19 2020 Fingerprint:58 71 FB 94 55 65 D4 64 38 91 2B 00 61 E9 F8 05 Do you accept this certificate?? [yes/no]:yes ! The following command requests certificates for all of your RSA key pairs. crypto ca enroll myca % Start certificate enrollment ... % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. % For security reasons your password will not be saved in the configuration. % Please make a note of it. Password: Re-enter Password: Fingerprint: 17D8B38D ED2BDF2E DF8ADBF7 A7DBE35A ! The following command displays information about your certificate and the CA certificate. show crypto ca certificates Trustpoint :myca ========================================================== CA certificate Serial Number :01 Subject Name : cn=Root coax-u10 Certificate Manager,ou=HFR,o=Cisco Systems,l=San Jose,st=CA,c=US Issued By : cn=Root coax-u10 Certificate Manager,ou=HFR,o=Cisco Systems,l=San Jose,st=CA,c=US Validity Start :07:00:00 UTC Tue Aug 19 2003 Validity End :07:00:00 UTC Wed Aug 19 2020 Router certificate Key usage :General Purpose Status :Available Serial Number :6E Subject Name : unstructuredName=myrouter.mydomain.com,o=Cisco Systems Issued By : cn=Root coax-u10 Certificate Manager,ou=HFR,o=Cisco Systems,l=San Jose,st=CA,c=US Validity Start :21:43:14 UTC Mon Sep 22 2003 Validity End :21:43:14 UTC Mon Sep 29 2003 CRL Distribution Point ldap://coax-u10.cisco.com/CN=Root coax-u10 Certificate Manager,O=Cisco Systems
Where to Go Next
After you have finished configuring CA interoperability, you should configure IKE, IPSec, and SSL. IPSec in the Implementing IPSec Network Security on the Cisco IOS XR Softwaremodule, and SSL in the Implementing Secure Socket Layer on the Cisco IOS XR Softwaremodule. These modules are located in Cisco IOS XR System Security Configuration Guide for the Cisco XR 12000 Series Router (this publication).
Additional References
The following sections provide references related to implementing certification authority interoperability.
Related Documents
Related Topic |
Document Title |
---|---|
PKI commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples |
Public Key Infrastructure Commands on the Cisco IOS XR Software module in Cisco IOS XR System Security Command Reference for the Cisco XR 12000 Series Router. |
Standards
Standards |
Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
MIBs
MIBs |
MIBs Link |
---|---|
— |
To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml |
RFCs
RFCs |
Title |
---|---|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. |
— |
Technical Assistance
Description |
Link |
---|---|
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. |